Information Technology Department

Policy Document

Key Management& Card Data Encryption Policy Page 1

Key Management& Card Data Encryption Policy

Document Summary

Item

Value

Organization

Information Dynamics

Document Name

Key Management & Card Data Encryption Policy

Classification

Internal

Compliance Reference To:

ISO 27001:2013, PCI DSS

Document Revision History

Date

Version

Prepared By

01 November 2018

1.1

Information Dynamics

December 2019

1.2

Information Dynamics

December 2020

1.3

Chandrasekar

Document Review History

Reviewed By

Version

Date

Signature

Shibin

1.2

December 2019

Shibin

1.3

December 2020

Information Technology Department

Policy Document

Key Management& Card Data Encryption Policy Page 2

1. Scope

This policy document addresses Information Dynamics key management requirements and credit

card data encryption.

ISO 27001:2013 Reference

A.10.1.1

Policy on the use of cryptographic controls

A.10.1.2

Key management

2. Policy

 Credit Card data whenever it occurs in conjunction with PAN must be encrypted. This is

applicable to all data stored including data on database, portable digital media, backup

media, in logs, and data received from or stored by wireless networks.

 Encryption of card data will be carried out using Symmetric Key Encryption: AES 256

bits, or 3DES 128 bits with associated Key management procedures Asymmetric Key

Encryption: RSA 2048 Bits, Deffie Hellman 2048 Bits, El Gamal 2048 Bits

 The MINIMUM account information that must be rendered unreadable is the PAN.

 Encryption Keys will be stored in a location separate from the encrypted data.

 Cardholder data on removable media will be encrypted wherever stored.

 Native File System disk encryption will not be used to encrypt credit card data.

 Encryption keys used for encryption of cardholder data will be protected against both

disclosure and misuse by:

 Restricting access to keys to the fewest number of custodians necessary

 Secure storage of keys in the fewest possible locations and forms

 Key management processes and procedures for keys used for encryption of cardholder

data will be documented and implemented for:

 Generation of strong keys-Key generation process and logic with description.

 Secure key distribution- How the keys are distributed securely.

 Secure key storage- Storage location of Key (Application path or Database)

 Periodic key changes- Define the cryptoperiod of Keys.

 Destruction of old keys- Secure Deletion method of keys.

Information Technology Department

Policy Document

Key Management& Card Data Encryption Policy Page 3

 Split knowledge and establishment of dual control of keys (so that it requires two

or three people, each knowing only their part of the key, to reconstruct the whole

key- Signed Key custodian forms needs to be provided for each user

(template for key custodian form attached in mail).

 Prevention of unauthorized substitution of keys

 Replacement of known or suspected compromised keys- Replacement

procedure in case of end of cryptoperiod or key compromise.

 Revocation of old or invalid keys (For RSA Keys only) - process of revocation

of keys.

 Requirement for key custodians to sign a form stating that they understand and accept

their key-custodian responsibilities-Signed Key custodian forms needs to be

provided for each user (template for key custodian form attached in mail).